[PHP] File Permissions?

Posted by Tedd Sperling 
Tedd Sperling
[PHP] File Permissions?
August 16, 2017 06:10PM
Hi Gang:

We had an incident happen at the college where I teach — the IT guy said:

> After further inquiry, it appears a bad guy used a php vulnerability injection over http to enter into a folder on CITW. This was made possible because the permissions were misconfigured (execute was set to 755 instead of normal 644).


My understanding of permissions is that 755 is normally thought of as secure — is that not true?

My thanks in advance for any clarification or advice.

Thank you,

tedd
_______________
tedd sperling
tedd@sperling.com





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Adam Jon Richardson
Re: [PHP] File Permissions?
August 16, 2017 06:20PM
On Wed, Aug 16, 2017 at 12:02 PM, Tedd Sperling <[email protected]> wrote:
>
> We had an incident happen at the college where I teach — the IT guy said:
>
> > After further inquiry, it appears a bad guy used a php vulnerability
> injection over http to enter into a folder on CITW. This was made
> possible because the permissions were misconfigured (execute was set to 755
> instead of normal 644).
>
>
> My understanding of permissions is that 755 is normally thought of as
> secure — is that not true?
>

755 is typical for directories, but 644 for files.

https://premium.wpmudev.org/blog/understanding-file-permissions/

That said, I often even reduce the permissions beyond 644 in production
environments.

Adam
Tedd Sperling
Re: [PHP] File Permissions?
August 16, 2017 06:50PM
> On Aug 16, 2017, at 12:10 PM, Adam Jon Richardson <[email protected]> wrote:
>
> 755 is typical for directories, but 644 for files.
>
> -snip-
>
> Adam

Adam:

If you set a file to 755, then how does bad guy do bad things with it?

Certainly, with 755 the owner can do anything he wants (read, write, execute), but the “group” and “everyone else” can only read and execute (5) the file — there is no “write” to the file. Without a “write”, then how can a bad guy change/upload a file?

There is something here I am not understanding. Please explain.

Cheers,

tedd

_______________
tedd sperling
tedd@sperling.com






Richard
Re: [PHP] File Permissions?
August 16, 2017 07:00PM
> Date: Wednesday, August 16, 2017 12:43:50 -0400
> From: Tedd Sperling <[email protected]>
>
>> On Aug 16, 2017, at 12:10 PM, Adam Jon Richardson
>> <[email protected]> wrote:
>>
>> 755 is typical for directories, but 644 for files.
>>
>
> Adam:
>
> If you set a file to 755, then how does bad guy do bad things with
> it?
>
> Certainly, with 755 the owner can do anything he wants (read,
> write, execute), but the “group” and “everyone else” can
> only read and execute (5) the file — there is no “write” to
> the file. Without a “write”, then how can a bad guy
> change/upload a file?
>
> There is something here I am not understanding. Please explain.
>
> Cheers,
>
> tedd

The question is not just permissions, but also ownerships. If the
directories/files are owned by the user that the web server runs as
(a disturbingly frequent recommendation) then all bets are off.



Adam Jon Richardson
Re: [PHP] File Permissions?
August 16, 2017 07:00PM
On Wed, Aug 16, 2017 at 12:43 PM Tedd Sperling <[email protected]> wrote:

>
> Adam:
>
> If you set a file to 755, then how does bad guy do bad things with it?
>
> Certainly, with 755 the owner can do anything he wants (read, write,
> execute), but the “group” and “everyone else” can only read and execute (5)
> the file — there is no “write” to the file. Without a “write”, then how can
> a bad guy change/upload a file?


When I get back to my computer in a couple hours, I'll send some exploit
examples :) (I'm out with my daughters for a bit for school shopping)

Adam
Narcis Garcia
Re: [PHP] File Permissions?
August 16, 2017 07:40PM
Unix permissions assignments: owner, group, others
755 = owner:7, group:5, others:5

In octal, 7 is full permission for anything (file/directory): read +
write + execute.

An example: If some file (e.g. index.php) is assigned to
webservice:users (owner user "webservice", group "users") and has 755
permissions, it means that any action called from a process running as
the "webservice" account can do anything to that file, members of group
"users" can only read & execute, and others can also read & execute.

For the same case in a directory (permissions 755), the concrete consequence
is that the owner ("webservice") can CREATE files in it and give them
the desired permissions.

How can a web visitor make use of the "webservice" account?
If your HTTP server software runs as "webservice", then any .php script
runs with the same account permissions. If you have a .php script that
allows a visitor to upload or create other PHP files, you have the door
open for a bad guy to create his own pages/scripts with the server's filesystem
access (only restricted by the open_basedir directive).


On 16/08/17 at 18:43, Tedd Sperling wrote:
>
>> On Aug 16, 2017, at 12:10 PM, Adam Jon Richardson <[email protected]> wrote:
>>
>> 755 is typical for directories, but 644 for files.
>>
>> -snip-
>>
>> Adam
>
> Adam:
>
> If you set a file to 755, then how does bad guy do bad things with it?
>
> Certainly, with 755 the owner can do anything he wants (read, write, execute), but the “group” and “everyone else” can only read and execute (5) the file — there is no “write” to the file. Without a “write”, then how can a bad guy change/upload a file?
>
> There is something here I am not understanding. Please explain.
>
> Cheers,
>
> tedd
>
> _______________
> tedd sperling
> tedd@sperling.com
>
>
>
>
>
>
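
The ownership point made in the replies above, as an added example that is not code from any poster: an audit that reports which entries the web server account can alter, given each entry's mode, owner and group. The paths and the UID/GID values (33 for the web server account, 1000 for a separate deploy user) are constructed sample data.

```python
import stat

def class_bits(mode, f_uid, f_gid, p_uid, p_gids):
    """rwx triplet (0-7) that applies to a process. Exactly one class is
    checked: owner if UIDs match, else group if the GID matches, else others."""
    perms = stat.S_IMODE(mode)
    if p_uid == f_uid:
        return (perms >> 6) & 7
    if f_gid in p_gids:
        return (perms >> 3) & 7
    return perms & 7

def audit(entries, web_uid, web_gids):
    """Return (path, reason) for entries the web server account can alter."""
    findings = []
    for path, mode, uid, gid in entries:
        bits = class_bits(mode, uid, gid, web_uid, web_gids)
        if uid == web_uid:
            # The owner can always chmod, so 644 vs 755 does not protect it.
            findings.append((path, "owned by web server account"))
        elif stat.S_ISDIR(mode) and (bits & 3) == 3:
            # write + search on a directory allows creating files in it
            findings.append((path, "web server can create files here"))
        elif not stat.S_ISDIR(mode) and (bits & 2):
            findings.append((path, "web server can modify this file"))
    return findings

# Constructed sample: (path, st_mode, uid, gid). UID/GID 33 stands in for the
# web server account and 1000 for a separate deploy user (both assumptions).
D, F = stat.S_IFDIR, stat.S_IFREG
SAMPLE = [
    ("/var/www/site",           D | 0o755, 33,   33),    # 755 dir, web-owned
    ("/var/www/site/index.php", F | 0o644, 33,   33),    # 644 file, web-owned
    ("/var/www/app",            D | 0o755, 1000, 1000),  # 755 dir, deploy-owned
    ("/var/www/app/index.php",  F | 0o755, 1000, 1000),  # 755 file, deploy-owned
    ("/var/www/app/uploads",    D | 0o775, 1000, 33),    # group-writable dir
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE, web_uid=33, web_gids={33}):
        print(f"{path}: {reason}")
```

To audit a real tree, build the entries from `os.walk` and `os.lstat` (`st_mode`, `st_uid`, `st_gid`) and pass the UID and group IDs the web server actually runs with.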
